title: Suspicious Invoke-Item From Mount-DiskImage
id: 902cedee-0398-4e3a-8183-6f3a89773a96
status: test
description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
    - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
author: frack113
date: 2022-02-01
tags:
    - attack.defense-impairment
    - attack.t1553.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Mount-DiskImage '
            - '-ImagePath '
            - Get-Volume
            - '.DriveLetter'
            - 'invoke-item '
            - '):\'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium

title: Suspicious Unblock-File
id: 5947497f-1aa4-41dd-9693-c9848d58727d
status: test
description: Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2
author: frack113
date: 2022-02-01
tags:
    - attack.defense-impairment
    - attack.t1553.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Unblock-File '
            - '-Path '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium

title: Windows AppX Deployment Full Trust Package Installation
id: e54279c7-4910-4e2c-902c-c56a25b549f6
status: experimental
description: Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions
references:
    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1204.002
    - attack.t1553.005
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 400
        HasFullTrust: true
    filter_main_legitpath:
        PackageSourceUri|startswith:
            - 'file:///C:/Program%20Files/'
            - 'file:///C:/Program%20Files%20(x86)/'
    filter_main_microsoft:
        - PackageSourceUri|startswith: 'https://go.microsoft.com/fwlink/?linkid'
        - PackageSourceUri|contains:
              - '.cdn.microsoft.com'
              - '.cdn.office.net/'
    filter_main_callerprocess:
        CallingProcess|startswith:
            - 'sysprep.exe'
            - 'svchost.exe,AppReadiness'
    filter_optional_x_update:
        PackageSourceUri|startswith: 'x-windowsupdate://'
    filter_optional_microsoftclient:
        PackageFullName|startswith: 'MicrosoftWindows.Client.'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Some legitimate applications installation which have been missed from filtering can generate fps, thus baselining and tuning is recommended before deploying to production
level: medium

title: Windows AppX Deployment Unsigned Package Installation
id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af
related:
    - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
      type: similar
    - id: 975b2262-9a49-439d-92a6-0709cccdf0b2
      type: similar
status: experimental
description: Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
references:
    - https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage
    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1204.002
    - attack.t1553.005
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 603
        Flags: '8388608'
    condition: selection
falsepositives:
    - Legitimate installation of unsigned packages for legitimate purposes such as development or testing
level: medium

title: Suspicious Mount-DiskImage
id: 29e1c216-6408-489d-8a06-ee9d151ef819
status: test
description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
    - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
author: frack113
date: 2022-02-01
tags:
    - attack.defense-impairment
    - attack.t1553.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Mount-DiskImage '
            - '-ImagePath '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low

title: Windows MSIX Package Support Framework AI_STUBS Execution
id: af5732ed-764e-489d-826d-0447c8b36242
status: experimental
description: |
    Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.
    This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
references:
    - https://redcanary.com/blog/threat-intelligence/msix-installers/
    - https://redcanary.com/threat-detection-report/techniques/installer-packages/
    - https://learn.microsoft.com/en-us/windows/msix/package/package-support-framework
    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1218
    - attack.t1553.005
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\AI_STUBS\AiStubX64Elevated.exe'
            - '\AI_STUBS\AiStubX86Elevated.exe'
            - '\AI_STUBS\AiStubX64.exe'
            - '\AI_STUBS\AiStubX86.exe'
        OriginalFileName: 'popupwrapper.exe'
    condition: selection
falsepositives:
    - Legitimate applications packaged with Advanced Installer using Package Support Framework
level: low